Pepperdine University uses Isora GRC from SaltyCloud to enhance its security culture and enable its mission
Having a small infosec team was no barrier to deploying a campus-wide security assessment solution that will provide the university’s leadership with powerful insights into the organization’s security posture.
About Pepperdine
Based in Malibu, Southern California, Pepperdine University has more than 12,000 students and 4,000 staff.
Pepperdine is a Christian university committed to the highest standards of academic excellence and Christian values, where students are strengthened for lives of purpose, service, and leadership.
That mission is supported by ensuring the security of Pepperdine’s IT environment and the privacy of its students, faculty, and staff, a task that is overseen by Kim Cary, the university’s Chief Information Security Officer (CISO).
“Here at the ISO (information security office), we’re really focused on helping our colleagues protect student data and preserve trust in the University,” Kim explains.
“One important aspect of people protecting information is knowing what devices and information you have in inventory and how well your protections stack up against accepted security standards.”
With over 20,000 devices on Pepperdine’s network, including more than 4,000 that are owned and managed by the university, the ISO is kept busy. Alongside helping the university comply with a number of regulations, including FERPA, GLBA, HIPAA, CCPA, and GDPR, the ISO also architects and operates a dozen different types of security systems, delivers security training, and provides business process consulting to support secure operations.
“We have project priorities, but we’re a very operational team. And consequently, we have a lot of tasks that we need to get done for other teams in order for them to do their work. So we don’t just do analysis and compliance around here.”
Kim says he is supported by “three great analysts, each with their own complementary superpowers.” One of those analysts, Jason Gianni, adds: “We’re very agile, as far as our ability to jump, switch, change priorities, and still make sure that the big things that we’re trying to accomplish: keeping everyone nice, safe, and secure in their digital, and sometimes physical, information environments.”
The challenge
Pepperdine suffered a serious IT security breach in 2008, exposing multiple weaknesses in its security posture that the university realized it needed to rectify.
“When I took over the security portfolio at Pepperdine in 2004, our security posture was ‘flat on our back’. There was no point in measuring the effectiveness of the security program at that time. There were glaringly obvious gaps that we needed to address,” Kim explains.
“So we spent nearly a decade making much-needed security improvements and upgrades to our network. Now we’re asking ourselves, ‘What’re we missing? Are we really measuring up the way we think we should?’”
After all the hard work and time spent improving the university’s security posture, Pepperdine needed to put a risk assessment framework in place so it could identify and mitigate risks in a structured and ongoing fashion.
To achieve this, the ISO needed a solution that could help it conduct and easily manage an organization-wide security assessment across Pepperdine’s 600+ departments and 4,000+ faculty and staff members.
It was important that the solution enabled the university to gain insights into its security posture over time, could present a heatmap of security gaps across the organization, and would help empower executives by providing insights into their department’s security gaps.
Specifically, Pepperdine wanted a tool capable of identifying and measuring gaps against the CIS18 controls, and highlighting them in the form of a red/yellow/green heatmap.
“We really wanted to measure user compliance and understand the value of our information security program,” Jason explains.
“Not only so users maintain their own security, but also to help them report the things their environment has or doesn’t have – helping us identify those gaps in our organization.”
In addition to measuring the security posture, the ISO wanted to classify all the Pepperdine-owned devices on its network using its classification standards: were they Restricted, Confidential, or Public, and did they contain Financial, Health, or Social Security data?
“We wanted to give the executives and deans a new indicator on their control board that they could use to better manage the hidden information security risks in their piece of the organization,” Kim says.
“They would see the data from the security assessment and sign off on it. If you want people to do a good job, you need to give them proper feedback. Otherwise, any failures are the system’s fault. That’s where the security assessment data comes into play. It’s my opinion that they [executives] will see that data and say ‘Oh, there’s something we can do about that.’”
Providing Pepperdine’s leadership with visibility into information security risks, and giving them a sense of ownership of these issues, was a fundamental step in ensuring the university’s move towards establishing a security-focused culture.
The solution
To meet its security assessment requirements, Pepperdine chose Isora GRC from SaltyCloud, an assessment platform designed specifically to meet the governance, risk, and compliance (GRC) needs of highly distributed environments like universities.
Isora GRC makes fulfilling compliance requirements easier by automating and centralizing the assessment workflow—helping institutions align with a security framework, mitigate risks, and improve the organization’s security posture year-over-year all on a streamlined platform.
For Pepperdine, one of the advantages of Isora GRC was that it enabled the ISO team to establish a security assessment process despite having limited resources.
“Being a small team that does more than just analysis and compliance, one of the great things about SaltyCloud is that they were able to bring their security assessment expertise to the table,” says Kim.
Using Isora GRC, Pepperdine was able to build an organizational structure within the platform and assign risk assessment-related roles to appropriate staff from across the university.
Then, using the preloaded CIS18 questionnaire and the platform’s robust question logic and editing capabilities, the ISO was able to launch a customized security questionnaire to over 600 departments across the university.
Using the platform’s API integration capabilities, the ISO was able to upload Pepperdine’s entire device inventory and assign each device to the appropriate unit and individual users. Using the university’s custom device classification standards, the ISO then had the ability to launch classification surveys for all hosts.
At the time of writing, the ISO was prioritizing urgent tasks related to COVID-19 before completing their first security assessment.
Once their first assessment is complete, Pepperdine will have access to insights into the overall security posture of the campus. Isora GRC will make it easy to identify and gauge the severity of all types of risk at a glance using a risk heat map. This will enable the ISO to dive deeper and identify critical but not so obvious security weaknesses at a department level, helping them better prioritize their information security efforts and areas for focus.
Using the security assessment data, stakeholder reports will be created for the executives and deans who oversee the individual departments. This will allow them to see their department in a new way and empower them to improve any critical information security gaps, ensuring an ongoing focus on enhancing Pepperdine’s security culture.
Setting up the organizational structure, uploading their inventory, and getting everything customized for their users was a positive experience for the ISO team.
“Working with the SaltyCloud team to set up our platform was a very positive experience,” says Kim.
“They helped us ensure that our instance and all of our data was accurately set up and they were very good at listening and responding to our requests.”
Pepperdine University now has a platform in place to understand and improve its security posture and potential weaknesses, down to a granular level, enabling it to apply what it learns from those insights to build a more secure organization.
Thanks to Isora GRC from SaltyCloud, the university is better positioned to achieve its mission of protecting the privacy and security of the Pepperdine family.